Your practice has tough decisions to make when allowing staff to handle patients' protected health information (PHI) while working from offsite locations.
You may need encryption, you may prevent staff from working on their personal laptops when dealing with PHI, or you may allow remote work only for emergency purposes. Whatever the case, you need to communicate your privacy expectations to your employees.
Glenn Allen, information security director with Fairview Health Services in Minneapolis, Minn., presents this sample document, which can serve as a guide:
Guidelines for the Remote Worker:
When an employee is working remotely, the organization is exposed to the risk of privacy and security incidents and breaches. The organization takes great care to protect the privacy and security of its paper and electronic systems in order to safeguard its patients' data and other confidential data. Remote workers must therefore take the same care. Below are some PHI security tips for remote workers:
- Use only a currently supported operating system with all available security patches (e.g., XP or Vista).
- Use auto-updating antivirus software; antivirus with outdated virus definitions loses much of its effectiveness.
- Use a properly configured firewall, along with a properly configured router between your equipment and your internet connection, to increase your protection.
- Be cautious when using shared computer equipment to access the organization's resources. A computer you share can be accidentally exposed by others. Limit access to the equipment used to connect to the organization unless you know what others are using the computer for.
- Do not use any form of file sharing program on the equipment used to connect to the organization's resources. Many file sharing programs can open or share folders and files on your own computer even when you did not intend them to.
- Seek guidance from your operating system vendor on safe computing. Many OS vendors (such as Microsoft) provide good resources for both end users and IT professionals.
- Simply following a link in an email to a hostile site can harm your computer. Never reply to, open links in, or attempt to unsubscribe from unsolicited emails.
- Report any security concerns to your manager or the IT department immediately.
- Take steps to ensure that only programs directly related to your business purpose are run while you are connected to the organization's network.
- Position your monitor so that unauthorized persons cannot view the screen.
- Make sure that user IDs and passwords are not shared, and are not written down, taped or stored on the computer or laptop, in the computer bag, or in any other location associated with the computer.
- Be careful when printing confidential documents: make sure you are connected to the correct printer and that you can retrieve the printed documents immediately.
- Be cautious when using wireless hotspots. Some hotspots may be run by malicious individuals looking to steal or misuse data and equipment connected to the hotspot.
- The organization may inspect and monitor data and communications at any time. This includes monitoring network usage, including contents, and examining files on any system that has been connected to the network.
- Be attentive when selling or disposing of computer equipment. Erase or properly dispose of drives so that others cannot access confidential data.
Follow these steps for effective PHI security.